Port 443 timeout using Netcat but is working in browser
-
Hi,
I have a strange behavior:
When i try the following command (WAN) i got a timeout
nc -v domain.com 443When i try the following command (LAN) it works
nc -v localip 443The web site https://domain.com is working and is available
On the port 80 all is ok (with same config)
Any idea where pfsense block my netcat request ?Thanks
-
From your lan to your wan IP.. What do you have on your wan 443? A port forward, reverse proxy? Did you setup nat reflection?
-
Sorry i didnt told it, a simple nat redirect
WAN * 443 to LAN localip 443With equivalent rule in firewall
I will updated main post with screen shots after post restriction
Firewall
Nat
-
So nat reflection, what type pure proxy? If you do not do the correct nat reflection you run into asymmetrical problems..
Does it work from outside? Test with can you see me . org
Is pfsense listening on 443? It normally listens on 80, etc..
Why would you not just resolve domain.tld to your local IP via your local dns, host override vs doing a reflection, at best your hairpinning all your traffic for no reason. And can run into issues with asymmetrical traffic flow.
-
Thanks for your reply
PFSense web interface has been changed to another port (https 8080)
All 443/80 trafic is redirected to 192.168.1.4 which is an Apache displaying content from domain name sent in the client request.
In fact all is working well (or it seems to works) website are displaying on the browsers.
The trouble come from tools like netcat, telnet, openssl connect, etc ... on port 443 going timeout like if PFSense was bloking the response
Same trouble with all other ports. Only port 80 seems to respond
For exemple:
nc -v externalIP 111 nc: connect to externalIP port 111 (tcp) failed: Connection timed outbut FTP Client works well (NAT 111 WAN to 21 LAN)
nc -v domain.com 80 Connection to domain.com 80 port [tcp/http] succeeded!The only port working as attempt
-
Did you turn off the 80 redirect on pfsense? pfsense will attempt to redirect traffic to "it" on 80 to its ssl port.
If browsers and clients working - then what is the problem?
-
What do you mean by turn off 80 redirect ?
There is the NAT on *:80 WAN to 192.168.1.4:80 LAN with firewall rules for it.
The PFSense Web site is on port 8080 https.The trouble come from network supervision like Zabbix:
2:58:54 High PROBLEM Service web https is down on 12:58:52 High PROBLEM Service web https is down on 12:58:50 High PROBLEM Service web https is down on ....And other test cant be done like SSL days left on validity for exemple
With classical NAT (physical router) this same schema is working. I really fell like PFSense is blocking the response for a reason i don't know
-
It wouldn't be "blocking" do a sniff.. Clearly there is a response since you say browsers and clients work.
But they might be more forgiving if response comes from different mac - asymmetrical.
-
Thanks,
i missed this one, now all port doesn't not respond (but it is ok)
I just saw something:
Netcat is working as it should for external network, and all is okExcAst:~ # nc -v domain.com 443 Connection to domain.com 443 port [tcp/https] succeeded! ExcAst:~ # nc -v domain.com 80 Connection to domain.com 80 port [tcp/http] succeeded! ExcAst:~ # nc -v domain.com 777 Connection to domain.com 777 port [tcp/multiling-http] succeeded! SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8The problem come from internal netcat request (LAN)
maybe it is link to this:
DNS fwd/rev mismatch: domain.com != machinedomainWebsites are working in Lan browsers
-
@Frogg said in Port 443 timeout using Netcat but is working in browser:
DNS fwd/rev mismatch: domain.com != machinedomain
which is why what your doing is not the correct solution.. What you should be doing is dns resolution to access your machines via their local IPs vs nat reflection..
-
Do you have any clue on how i could achieve something like that ?
-
Yeah a simple host override so that whatever.domain.tld resolves to the actual local IP you want 192.168.1.4 I take it.
-
I added the domain name to the local 192.168.1.4 machine if i check /etc/hostname i get the domain name
But i don't think it would fix it has the domain name in the comparaison il the host xx.xx.xx.xx.rev.poneytelecom.eu reverse DNS
Or i am really missing something
-
On pfsense create a host override - your clients point to pfsense for dns right?
So whatever.domain.tld points to your local IP 192.168.1.4, and then the ptr for 192.168.1.4 would also resolve to that..
-
Thanks for the help,
but i fill like i am lacking of knowledge on this part.In network config of 192.168.1.4 (and all local machines) i use 192.168.1.1 as DNS
In the interface DNS resolver was disabled, so i enabled it and added the Host Overrides
Dig domain.com
;; ANSWER SECTION: domain.com 960 IN A internetIpDig - x domain.com
;; AUTHORITY SECTION: in-addr.arpa. 3600 IN SOA b.in-addr-servers.arpa. nstld.iana.org. 2020081164 1800 900 604800 3600i think i am missing something to have the same result as yours
-
@Frogg said in Port 443 timeout using Netcat but is working in browser:
i use 192.168.1.1 as DNS
And what is that? Is that not pfsense? This only works if what your using for dns for your local network actually ends up asking pfsense.. So the host override can be returned.
If your network is using 192.168.1.1 for dns, then setup your dns records there.
-
Yes 192.168.1.1 is PFSense
Maybe it require a reboot, i ll give a try -
You said the resolver was disabled - where you using forwarder (dnsmasq) If so then the host override would be setup there and not in the resolver (unbound). Both forwarder and resolver allow for host overrides. Set the override in whichever one your using.
You only can have either or running forwarder or resolver. You can not run both listening on 53.
A reboot is not required that is for sure.. But you may have issue with local caching on the client, so you would have to flush the local dns cache of whatever client your testing from.
-
Thanks again for the help!
Forwarder & Resolver (Now changed to enabled) was disabled
It seems i am using the default cache (so it should be flushed with reboot)
systemd-resolve --flush-caches Failed to flush caches: Unit dbus-org.freedesktop.resolve1.service not found.After reboot result is the same
any idea ?
-
@Frogg said in Port 443 timeout using Netcat but is working in browser:
Forwarder & Resolver (Now changed to enabled) was disabled
Huh? You can not use both at the same time.. You run into a race condition.. Which one are you using? Place your host override in the one your using.. They both allow for overrides.
Do a directed query to pfsense to validate it returns your records you put in host override..
C:\>dig @192.168.9.253 ahost.domain.tld ; <<>> DiG 9.16.6 <<>> @192.168.9.253 ahost.domain.tld ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8719 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ahost.domain.tld. IN A ;; ANSWER SECTION: ahost.domain.tld. 3600 IN A 192.168.1.4 ;; Query time: 0 msec ;; SERVER: 192.168.9.253#53(192.168.9.253) ;; WHEN: Tue Sep 08 13:40:59 Central Daylight Time 2020 ;; MSG SIZE rcvd: 61 C:\>nslookup Default Server: pi-hole.local.lan Address: 192.168.3.10 > server 192.168.9.253 Default Server: sg4860.local.lan Address: 192.168.9.253 > ahost.domain.tld Server: sg4860.local.lan Address: 192.168.9.253 Name: ahost.domain.tld Address: 192.168.1.4Pfsense in my case is 192.168.9.253
